There was a discussion a few weeks back about Ruby's handling of ^ and $ in
regexps, and I have realised what may me so uncomfortable with it. I'm used
to matching strings on /^...$/ to mean "match exactly this", and it doesn't
work. In fact it could lead to very nasty security holes. Consider this
example:
str = cgi['unsafe_item']
str.untaint if str =~ /^[a-z0-9]+$/
Looks perfectly safe, doesn't it? Errm, no.
str = "rf -rf /*\nabcde\ndrop table master_db;"
puts "oops!" if str =~ /^[a-z0-9]+$/ #>> "oops!"
For this to be safe, you actually have to write:
str.untaint if str =~ /\A[a-z0-9]+\z/
The asymmetry between \A and \z is annoying (I have to keep looking it up to
remember which one is capital and which is lower-case), and it leaves
regular expressions looking a lot less readable.
I guess this is fixed in concrete now, but I thought it was pointing this
out as potentially a very important "gotcha"
Cheers,
Brian.